I. INTRODUCTION
This Privacy Manual is hereby adopted in compliance with
Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its
Implementing Rules and Regulations (IRR), and other relevant policies,
including issuances of the National Privacy Commission.
III. DEFINITIONS
and maintained by the School). The Data subjects have the right to be
informed [Article V Section C (i)] and object or complain [Article IX ii
and ii], right to access [Article VIII (B)] their individual information, and
the right to correct, rectify or block [Article VII (I and ii)] any erroneous or
false information.
a. Public - This is information that is readily available and may be disclosed
to the public. Examples: VP-GREEN VALE ACADEMY INC offices directory,
subject offerings, names of officers, Principal and teachers as stated in the
Administration portion of the VP-GREEN VALE ACADEMY INC social
media pages, published research containing the names of teachers and
students
b. Confidential- Those which are declared confidential by law or policy of
VP-GREEN VALE ACADEMY INC and which may only be processed
by authorized personnel, and if disclosed may cause material harm to the
School, or information is sensitive in nature as will affect the health or
well-being of the individual.
Examples: Employee and student names, addresses, contact numbers, SSS,
PhilHealth, Passport numbers, student and employee’s health information,
student counselling and medical records (Data Privacy Law); financial
information of parents and students and employees, and student records,
Employee 201 files and the information contained therein (Labor Code)
c. Classified - This is information to which access is highly restricted,
and if disclosed may cause severe or serious harm or injury to the
O. “Privileged information” refers to any and all forms of data, which, under
the Rules of Court and other pertinent laws constitute privileged
communication.
i. an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations.
ii. an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the
sentence of any court in such proceedings.
iii. issued by government agencies peculiar to an individual which includes,
but is not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns
iv. Specifically established by an executive order or an act of Congress to be
kept classified.
Example: In the enrolment process, upperclassmen are required to fill out the
Student Data Sheet. The purpose of such collection of information is stated in the
form and the consent of the student is obtained through the form which is filled
out and signed by the student.
iii. Health Services Department and Center for Guidance and Counseling
The Health Services Department collects sensitive information
relating to the medical and dental health of students for monitoring
pursuant to the provisions of the Manual of Regulations for Private School
in Basic Education.
C. Privacy Policies
To ensure that the rights of the data subjects are protected, the above-
mentioned departments are subject to the following policies:
MORPE.
Example: For foreign students, nationality, ACR numbers, passport numbers and
the contact numbers of the parents or guardians are necessary in case of
emergencies and other situations where the student’s parents or embassy are
required to be notified.
a. Primary Purpose
b. Secondary Purposes
i. the student or employee has consented to the use or disclosure for the
secondary purpose; or
ii. the student or employee would reasonably expect the School through its
authorized personnel to use, or process personal information for secondary
purpose and that the secondary purposes are directly related to the primary
purposes; or
iii. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing.
iv. The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations provided that
the processing is confined and related to the bona fide members of these
organizations or their associations; the sensitive personal information are
not transferred to third parties; and consent of the data subject was
obtained prior to processing.
v. The processing is necessary for the purpose of medical treatment:
Provided, that it is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal data
is ensured.
vi. The processing concerns sensitive personal information or privileged
information necessary for the protection of lawful rights and interests of
natural or legal persons in court proceedings, or the establishment,
exercise, or defense of legal claims, or when provided to government or
public authority pursuant to a constitutional or statutory mandate.
a. Verification of information
Authorized school personnel must take reasonable steps to ensure
that the personal information collected or processed is up-to-date, complete,
relevant and not misleading.
The information collected from students and employees is verified
by the particular departments collecting the information. Student
information is verified by the School Registrar’s Office while the HRD
conducts the verification of employee information and background
checks.
b. Correction, or update of information
Students may update their personal information through forms
available from the School Registrar’s Office, or in their respective
Schools, while employees may write to or go directly to the HRD
Office to update their information. In case of erroneous or false
information, the students or employees may have the information
A. Security Measures
i. Organizational Measures
The School's data privacy policies are contained in the institutional Data
Privacy Manual, which is reviewed annually and regularly updated.
c) Conduct of Awareness Campaign and Data Privacy Trainings
Data subjects may inquire or request for information from the Data
Privacy Response Team, regarding any matter relating to the processing of
their personal data under the custody of VP-GREEN VALE ACADEMY
INC, including the data privacy and security policies implemented to
ensure the protection of their personal data.
The DPO may also convene the entire team in case of a complaint,
or motu proprio in case of a violation of policies or a data breach, loss,
unauthorized access or destruction, as an investigation committee to
recommend actions, particularly when the violation is serious or causes or
has the potential to cause material damage to the School or any of its
students or employees. Such recommendation shall be submitted to the
President of the School for approval. Any appeal on such approved
recommendation/Decision shall be made by any of the affected parties
within 15 days from receipt of the approved Decision.
X. PRIVACY IMPACT ASSESSMENTS
XI. EFFECTIVITY
The provisions of this revised Manual shall take effect in June 2022.
XII. ANNEXES
Begun and held in Metro Manila, on Monday, the twenty-fifth day of July,
SECTION 1. Short Title. – This Act shall be known as the “Data Privacy
Act of 2012”.
(b) Consent of the data subject refers to any freely given, specific,
informed indication of will, whereby the data subject agrees to the
collection and processing of personal information about and/or relating to
him or her. Consent shall be evidenced by written, electronic or recorded
means. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.
(k) Privileged information refers to any and all forms of data which under
the Rules of Court and other pertinent laws constitute privileged
communication.
(1) About an individual’s race, ethnic origin, marital status, age, color,
and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to have
been committed by such person, the disposal of such proceedings, or the
sentence of any court in such proceedings;
SEC. 4. Scope. – This Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal
information processing including those personal information controllers
and processors who, although not found or established in the Philippines,
use equipment that are located in the Philippines, or those who maintain an
office, branch or agency in the Philippines subject to the immediately
succeeding paragraph: Provided, That the requirements of Section 5 are
complied with.
(1) The fact that the individual is or was an officer or employee of the
government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by
the individual; and
(f) Information necessary for banks and other financial institutions under
the jurisdiction of the independent, central monetary authority or Bangko
Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic
Act No. 9160, as amended, otherwise known as the Anti-Money
Laundering Act and other applicable laws; and
(b) The entity has a link with the Philippines, and the entity is processing
personal information in the Philippines or even if the processing is outside
the Philippines as long as it is about Philippine citizens or residents such
as, but not limited to, the following:
(c) The entity has other links in the Philippines such as, but not limited to:
CHAPTER II
THE NATIONAL PRIVACY COMMISSION
(c) Issue cease and desist orders, impose a temporary or permanent ban on
the processing of personal information, upon finding that the processing
will be detrimental to national security and public interest;
(f) Coordinate with other government agencies and the private sector on
efforts to formulate and implement plans and policies to strengthen the
protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(n) Ensure proper and effective coordination with data privacy regulators
in other countries and private accountability agents, participate in
international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other
countries for cross-border application and implementation of respective
privacy laws;
CHAPTER III
PROCESSING OF PERSONAL INFORMATION
(c) Accurate, relevant and, where necessary for purposes for which it is to
be used the processing of personal information, kept up to date; inaccurate
or incomplete data must be rectified, supplemented, destroyed or their
further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they
are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the
purposes for which the data was obtained or for the establishment, exercise
or defense of legal claims, or for legitimate business purposes, or as
provided by law; and
(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee the
protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing;
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(5) Methods utilized for automated access, if the same is allowed by the
data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its
representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the
right to lodge a complaint before the Commission.
(d) Dispute the inaccuracy or error in the personal information and have
the personal information controller correct it immediately and accordingly,
unless the request is vexatious or otherwise unreasonable. If the personal
information have been corrected, the personal information controller shall
ensure the accessibility of both the new and the retracted information and
the simultaneous receipt of the new and the retracted information by
recipients thereof: Provided, That the third parties who have previously
received such processed personal information shall be informed of its
inaccuracy and its rectification upon reasonable request of the data subject;
SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs
and assigns of the data subject may invoke the rights of the data subject
for, which he or she is an heir or assignee at any time after the death of the
data subject or when the data subject is incapacitated or incapable of
exercising the rights as enumerated in the immediately preceding section.
SEC. 18. Right to Data Portability. – The data subject shall have the right,
where personal information is processed by electronic means and in a
structured and commonly used format, to obtain from the personal
information controller a copy of data undergoing processing in an
electronic or structured format, which is commonly used and allows for
further use by the data subject. The Commission may specify the
electronic format referred to above, as well as the technical standards,
modalities and procedures for their transfer.
CHAPTER V
SECURITY OF PERSONAL INFORMATION
(4) Regular monitoring for security breaches and a process for taking
preventive, corrective and mitigating action against security incidents that
can lead to a security breach.
(d) The personal information controller must further ensure that third
parties processing personal information on its behalf shall implement the
security measures required by this provision.
CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF PERSONAL
INFORMATION
CHAPTER VII
SECURITY OF SENSITIVE PERSONAL INFORMATION IN
GOVERNMENT
The requirements of this subsection shall be implemented not later than six
(6) months after the date of the enactment of this Act.
this Act and to comply with the other provisions of this Act including the
immediately preceding section, in the same manner as agencies and
government employees comply with such requirements.
not less than Five hundred thousand pesos (Php500,000.00) but not more
than One million pesos (Php1,000,000.00).
SEC. 36. Offense Committed by Public Officer. – When the offender or the
person responsible for the offense is a public officer as defined in the
Administrative Code of the Philippines in the exercise of his or her duties,
an accessory penalty consisting in the disqualification to occupy public
office for a term double the term of criminal penalty imposed shall be
applied.
SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90)
days from the effectivity of this Act, the Commission shall promulgate the
rules and regulations to effectively implement the provisions of this Act.
In case that the DICT has not yet been created by the time the law takes
full force and effect, the National Privacy Commission shall be attached to
the Office of the President.
SEC. 43. Separability Clause. – If any provision or part hereof is held invalid
or unconstitutional, the remainder of the law or the provision not otherwise
affected shall remain valid and subsisting.
SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15) days
after its publication in at least two (2) national newspapers of general
circulation.
Approved,
(Sgd.) FELICIANO BELMONTE JR.
Speaker of the House of Representatives
(Sgd.) JUAN PONCE ENRILE
President of the Senate
This Act which is a consolidation of Senate Bill No. 2965 and House Bill
No. 4115 was finally passed by the Senate and the House of
Representatives on June 6, 2012.
(Sgd.) MARILYN B. BARUA-YAP
Secretary General, House of Representatives
(Sgd.) EMMA LIRIO-REYES
Secretary of the Senate
(Sgd.) BENIGNO S. AQUINO III
President of the Philippines
1. Title
2. Policy
3. Definitions
4. Scope
5. Special Cases
6. Protection afforded to data subjects
7. Protection afforded to journalists and their sources
Rule III.
8. Mandate
9. Functions
10. Administrative Issuances
11. Reports and Public Information
12. Confidentiality of Personal Data
13. Organizational Structure
14. Secretariat
15. Effect of Lawful Performance of Duty
16. Magna Carta for Science and Technology Personnel
Rule IV.
Data
Data Subject
66. Appeal
67. Period for Compliance
68. Appropriations Clause
69. Interpretation
70. Separability Clause
71. Repealing Clause
72. Effectivity Clause
a. “Act” refers to Republic Act No. 10173, also known as the Data Privacy
Act of 2012;
There is control if the natural or juridical person or any other body decides
on what information is collected, or the purpose or extent of its processing;
Section 4. Scope. The Act and these Rules apply to the processing of
personal data by any natural and juridical person in the government or
private sector. They apply to an act done or practice engaged in and
Section 5. Special Cases. The Act and these Rules shall not apply to the
following specified information, only to the minimum extent of collection,
access, use, disclosure or other processing necessary to the purpose,
function, or activity concerned:
(a) The fact that the individual is or was an officer or employee of the
government;
(b) The title, office address, and office telephone number of the individual;
(c) The classification, salary range, and responsibilities of the position held by the
individual;
and
Provided, that the non-applicability of the Act or these Rules do not extend
to personal information controllers or personal information processors,
b. The burden of proving that the Act and these Rules are not applicable
to a particular information falls on those involved in the processing of
personal data or the party claiming the non-applicability.
amend rules and regulations for the effective implementation of the Act.
This includes:
violations of the Act, these Rules, and other issuances of the Commission,
including violations of the rights of data subjects and other matters
affecting personal data;
which include:
Section 11. Reports and Information. The Commission shall report annually
to the President and Congress regarding its activities in carrying out the
provisions of the Act, these Rules, and its other issuances. It shall undertake
all efforts it deems necessary or appropriate to inform and educate the public
of data privacy, data protection, and fair information rights and
responsibilities.
Section 12. Confidentiality of Personal Data. Members,
employees, and consultants of the Commission shall ensure at all times the
confidentiality of any personal data that come to their knowledge and
possession: Provided, that such duty of confidentiality shall remain even after
their term, employment, or contract has ended.
Section 13. Organizational Structure. The Commission is attached to the
Department of Information and Communications Technology for policy and
program coordination in accordance with Section 38(3) of Executive Order
No. 292, series of 1987, also known as the Administrative Code of 1987. The
Commission shall remain completely independent in the performance of its
functions. The Commission shall be headed by a Privacy Commissioner, who
shall act as Chairman of the Commission. The Privacy Commissioner must be
at least thirty-five (35) years of age and of good moral character,
unquestionable integrity and known probity, and a recognized expert in the
field of information technology and data privacy. The Privacy Commissioner
shall enjoy the benefits, privileges, and emoluments equivalent to the rank of
Secretary. The Privacy Commissioner shall be assisted by two (2) Deputy
Privacy Commissioners. One shall be responsible for Data Processing
Systems, while the other shall be responsible for Policies and Planning. The
Deputy Privacy Commissioners must be recognized experts in the field of
information and communications technology and data privacy. They shall enjoy
the benefits, privileges, and emoluments equivalent to the rank of Undersecretary.
Section 14. Secretariat. The Commission is authorized to establish a Secretariat,
which shall assist in the performance of its functions. The Secretariat shall
be headed by an Executive Director and shall be organized according to
the following offices:
Section 17. General Data Privacy Principles. The processing of personal data
shall be allowed, subject to compliance with the requirements of the Act and
other laws allowing disclosure of information to the public, and adherence to
the principles of transparency, legitimate purpose, and proportionality.
Section 18. Principles of Transparency, Legitimate Purpose and
Proportionality.
1. Processing shall uphold the rights of the data subject, including the
right to refuse, withdraw consent, or object. It shall likewise be
transparent, and allow the data subject sufficient information to know the
nature and extent of processing.
plain language to ensure that they are easy to understand and access.
(a) for the fulfillment of the declared, specified, and legitimate purpose,
or when the processing relevant to the purpose has been terminated;
b. Data Sharing shall be allowed in the private sector if the data subject
consents to data sharing, and the following conditions are complied with:
1. Consent for data sharing shall be required even when the data is to be
shared with an affiliate or mother company, or similar relationships;
(a) The data sharing agreement shall establish adequate safeguards for
data privacy and security, and uphold rights of data subjects.
(e) Existence of the rights of data subjects, including the right to access
and correction, and the right to object;
(f) Other information that would sufficiently notify the data subject of the
nature and extent of data sharing and the manner of processing.
c. Data collected from parties other than the data subject for purpose of
research shall be allowed when the personal data is publicly available, or
has the consent of the data subject for purpose of research: Provided, that
adequate safeguards are in place, and no decision directly affecting the
data subject shall be made on the basis of the data collected or processed.
The rights of the data subject shall be upheld without compromising
research integrity.
a. The data subject must have given his or her consent prior to the
collection, or as soon as practicable and reasonable;
c. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing;
2. The sensitive personal information are not transferred to third parties; and
3. General information about the data flow within the organization, from
the time of collection, processing, and retention, including the time limits
for disposal or erasure of personal data;
The said employees, agents, or representatives shall operate and hold personal
data under strict confidentiality if the personal data are not intended for public
disclosure. This obligation shall continue even after leaving the public service,
transferring to another position, or upon terminating their employment or
contractual relations. There shall be capacity building, orientation or training
programs for such employees, agents or representatives, regarding privacy or
security policies.
4. Policies and procedures for data subjects to exercise their rights under the
Act;
5. Data retention schedule, including timeline or conditions for erasure or
disposal of records.
processor, the Commission shall take into account the nature of the
personal data that requires protection, the risks posed by the processing,
the size of the organization and complexity of its operations, current data
privacy best practices, and the cost of security implementation. The
security measures provided herein shall be subject to regular review and
evaluation, and may be updated as necessary by the Commission in
separate issuances, taking into account the most appropriate standard
recognized by the information and communications technology industry
and data privacy best practices.
(b) Sufficient organizational, physical and technical security measures have been
established;
(d) The employee of the government is only given online access to sensitive
personal information necessary for the performance of official functions or the
provision of a public service.
b. Off-site access.
Section 34. Rights of the Data Subject. The data subject is entitled to the
following rights:
a. Right to be informed.
(b) Purposes for which they are being or will be processed, including
processing for direct marketing, profiling or historical, statistical or
scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the data
subject;
(e) The recipients or classes of recipients to whom the personal data are or may
be disclosed;
(f) Methods utilized for automated access, if the same is allowed by the
data subject, and the extent to which such access is authorized, including
meaningful information about the logic involved, as well as the
significance and the envisaged consequences of such processing for the
data subject;
(g) The identity and contact details of the personal data controller or its
representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as data subjects, including the right to
access, correction, and object to the processing, as well as the right to
lodge a complaint before the Commission.
b. Right to object. The data subject shall have the right to object to the
processing of his or her personal data, including processing for direct
marketing, automated processing or profiling. The data subject shall also
be notified and given an opportunity to withhold consent to the processing
in case of changes or any amendment to the information supplied or
declared to the data subject in the preceding paragraph.
c. Right to Access. The data subject has the right to reasonable access to,
upon demand, the following:
to, be made as the sole basis for any decision that significantly affects or
will affect the data subject;
7. Date when his or her personal data concerning the data subject were
last accessed and modified; and
d. Right to rectification. The data subject has the right to dispute the
inaccuracy or error in the personal data and have the personal information
controller correct it immediately and accordingly, unless the request is
vexatious or otherwise unreasonable. If the personal data has been corrected,
the personal information controller shall ensure the accessibility of both the
new and the retracted information and the simultaneous receipt of the new and
the retracted information by the intended recipients thereof: Provided, That
recipients or third parties who have previously received such processed
personal data shall be informed of its inaccuracy and its rectification, upon
reasonable request of the data subject.
e. Right to Erasure or Blocking. The data subject shall have the right to
suspend, withdraw or order the blocking, removal or destruction of his or
her personal data from the personal information controller’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the
following:
(b) The personal data is being used for purpose not authorized by the data
subject;
(c) The personal data is no longer necessary for the purposes for which they
were collected;
(d) The data subject withdraws consent or objects to the processing, and
there is no other legal ground or overriding legitimate interest for the
processing;
2. The personal information controller may notify third parties who have
Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs
and assigns of the data subject may invoke the rights of the data subject to
which he or she is an heir or an assignee, at any time after the death of the
data subject, or when the data subject is incapacitated or incapable of
exercising the rights as enumerated in the immediately preceding section.
Section 36. Right to Data Portability. Where his or her personal data is
processed by electronic means and in a structured and commonly used format,
the data subject shall have the right to obtain from the personal information
controller a copy of such data in an electronic or structured format that is
commonly used and allows for further use by the data subject. The exercise of
this right shall primarily take into account the right of data subject to have
control over his or her personal data being processed based on consent or
contract, for commercial purpose, or through automated means. The
Commission may specify the electronic format referred to above, as well as
the technical standards, modalities, procedures and other rules for their
transfer.
Section 37. Limitation on rights. The immediately preceding sections
shall not be applicable if the processed personal data are used only for the needs
of scientific and statistical research and, on the basis of such, no activities are
carried out and no decisions are taken regarding the data subject: Provided, that
the personal data shall be held under strict confidentiality and shall be used only
for the declared purpose. The said sections are also not applicable to the
processing of personal data gathered for the purpose of investigations in relation
to any criminal, administrative or tax liabilities of a data subject. Any limitations
on the rights of the data subject shall only be to the minimum extent necessary to
achieve the purpose of said research or investigation.
a. The contract or legal act shall set out the subject-matter and duration
of the processing, the nature and purpose of the processing, the type of
personal data and categories of data subjects, the obligations and rights of
the personal information controller, and the geographic location of the
processing under the subcontracting agreement.
b. The contract or other legal act shall stipulate, in particular, that the
personal information processor shall:
the Act, these Rules, other relevant laws, and other issuances of the
Commission, taking into account the nature of processing and the
information available to the personal information processor;
Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate
of the Commission to administer and implement the Act, and to ensure the
compliance of personal information controllers with its obligations under
the law, the Commission requires the following:
10. Name and contact details of the compliance or data protection officer,
which shall immediately be updated in case of changes.
b. The procedure for registration shall be in accordance with these Rules
and other issuances of the Commission.
1. Purpose of processing;
8. Decisions relating to the data subject that would be made on the basis
of processed data or that would significantly affect the rights and freedoms
of data subject; and
Section 49. Review by the Commission. The following are subject to the
review of the Commission, upon its own initiative or upon the filing of a
complaint by a data subject:
Section 51. Accountability for Violation of the Act, these Rules and Other
Issuances of the Commission.
b. In cases where a data subject files a complaint for violation of his or her
rights as data subject, and for any injury suffered as a result of the processing
of his or her personal data, the Commission may award indemnity on the basis
of the applicable provisions of the New Civil Code.
evidence.
Rule XIII. Penalties
a. A penalty of imprisonment ranging from six (6) months to two (2) years
and a fine of not less than One hundred thousand pesos (Php100,000.00) but
not more than Five hundred thousand pesos (Php500,000.00) shall be imposed
on persons who knowingly or negligently dispose, discard, or abandon the
personal information of an individual in an area accessible to the public or has
otherwise placed the personal information of an individual in its container for
trash collection.
by a data subject shall be subject to the payment of filing fees, unless the data
subject is an indigent.
Section 65. Fines and Penalties. Violations of the Act,
these Rules, other issuances and orders of the Commission, shall, upon notice and
hearing, be subject to compliance and enforcement orders, cease and desist
orders, temporary or permanent ban on the processing of personal data, or
payment of fines, in accordance with a schedule to be published by the
Commission.
Section 66. Appeal. Appeal from final decisions of the Commission shall be
made to the proper courts in accordance with the Rules of Court, or as may be
prescribed by law.
Section 67. Period for Compliance. Any natural or
juridical person or other body involved in the processing of personal data shall
comply with the personal data processing principles and standards of personal
data privacy and security already laid out in the Act. Personal information
controllers and personal information processors shall register with the
Commission their data processing systems or automated processing
operations, subject to notification, within one (1) year after the effectivity of
these Rules. Any subsequent issuance of the Commission, including those that
implement specific standards for data portability, encryption, or other security
measures shall provide the period for its compliance. For a period of one (1)
year from the effectivity of these Rules, a personal information controller or
personal information processor may apply for an extension of the period
within which to comply with the issuances of the Commission. The
Commission may grant such request for good cause shown.
Section 68. Appropriations Clause. The Commission shall be provided with
appropriations for the performance of its functions which shall be included in
the General Appropriations Act.
Section 69. Interpretation. Any doubt in the
interpretation of any provision of this Act shall be liberally interpreted in a
manner that would uphold the rights and interest of the individual about
whom personal data is processed.
Section 70. Separability Clause. If any
provision or part hereof is held invalid or unconstitutional, the remainder of
these Rules or the provision not otherwise affected shall remain valid and
subsisting.
Section 71. Repealing Clause. Except as otherwise expressly
provided in the Act or these Rules, all other laws, decrees, executive orders,
proclamations and administrative regulations or parts thereof inconsistent
herewith are hereby repealed or modified accordingly.
Section 72. Effectivity Clause. These Rules shall take effect fifteen (15) days
after its publication in the Official Gazette.